Articles and Newsletters

THE FTC'S "RED FLAG RULES" REQUIRE LOCAL GOVERNMENTS TO IMPLEMENT IDENTITY THEFT PREVENTION PROGRAMS

By Heather R. Baldwin Vlasuk

On August 1, 2009, the Federal Trade Commission (FTC) will begin enforcing its so-called "Red Flag Rules" that require creditors, which may include governmental entities who bill for services such as utilities or emergency medical services, to create and implement a written identity theft prevention program. The Rules went into effect on January 1, 2008, but enforcement of the Rules has been once again postponed to allow entities more time to come into compliance with the regulations. The goal of the Rules is to attempt to minimize the occurrence and impact of identity theft.

Under the Rules, entities are given leeway to design and implement an identity theft protection program that is appropriate to their size, complexity and the nature of their business. Nonetheless, under the Rules, entities must do the following:

Step 1. Assess Whether Your Entity is Subject to the Regulation

An entity is subject to the Red Flag Rules if it extends "credit" and maintains "covered accounts." A "covered account" is defined as an account primarily used for personal, family or household purposes. Residential utility services and emergency medical services would qualify under this definition. "Credit" includes deferring payment for services to a later date, such as instituting payment plans or delaying payment to allow third party insurance providers to process claims for payment.

Step 2: Draft and Implement an Identity Theft Protection Program

Entities subject to the Red Flag Rules must design and implement an identity theft protection program which does the following:

1. Identifies Covered Accounts.

2. Identifies Red Flags - "Red flags" are warning signs of identity theft. Some types of "red flags" are:

   • Alerts, notifications, other warnings received from consumer reporting agencies;

   • Presentation of suspicious documents (e.g., obvious forgeries or physical descriptions or photos not matching the person providing the document);

   • Suspicious personally identifiable information (e.g., fictitious addresses, inconsistent personal information; lack of correlation between range and date of birth); and

   • Other suspicious activity on the account (e.g., suspicious change of address).

3. Detects Red Flags- the Program must contain reasonable approaches to detecting the identified "red flags." One example would be instituting a policy to verify the consumer's identity at the time of opening the account or rendering services.

4. Responds to Red Flags - the Program must set forth a process to prevent and mitigate the damaging effects of identity theft through appropriate responses to "red flags." Examples of appropriate responses may be:

   • monitoring covered accounts for evidence of identity theft;

   • contacting the account holder;

   • changing security codes for external access to consumer accounts;

   • declining to open an account or closing an existing account; and

   • notifying law enforcement.

5. Provides for administration of the program, periodic updates, and employee training.

Step 3. Approve the Program

The Rules require that the Program must be approved and adopted by the entity's board of directors or chief executive officer. In the local government setting, this will likely be the Mayor, City Manager, or Board of Trustees. Also, high level officials or employees must be involved in oversight, development, implementation, and administration of the Program. Annual internal reports must be given so that the entity can assess the success of the Program. In addition, the entity must ensure that outside service providers assisting it on the covered accounts, such as billing agents, adhere to their own identity theft prevention program.

Further Information

It is recommended that governmental entities consult with legal counsel to determine if they are subject to the Red Flag Rules and to create and implement a program in compliance with the Rules. If you have questions regarding the "Red Flag Rules," please feel free to contact Heather R. Baldwin Vlasuk at the law firm of Walter & Haverfield LLP at (216) 781-1212.